            +---------+
            | Root CA |
            +---------+
                 /\
                /  \
               /    \
              /      \
             /        \
            /          \
           /            \
          /              \
+-----------+       +-----------+
| Server CA |       | Client CA |
+-----------+       +-----------+
Given the above CA hierarchy, how can I configure a (server) SSL_CTX to accept connections *only* from clients which present a certificate signed by the Client CA?

As is well documented, I cannot simply trust the Client CA. SSL_accept() will fail, because it cannot form a certificate chain all the way to the self-signed Root CA.

I have found, however, that adding the Root CA certificate to the trusted certificate file/directory causes certificates signed by the Server CA to be accepted as well. (The client has to present both its certificate and the Server CA certificate, but it is able to connect.)

So how can I do this?

Thanks!

--
========================================================================
Ian Pilcher                                         arequip...@gmail.com
Sometimes there's nothing left to do but crash and burn...or die trying.
========================================================================

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org